Risk, threat, and vulnerability have common aspects in information security - they are all defined by their degree of exposure to danger or harm. With up to 39% of UK organisations suffering data breaches in 2023, understanding risks, threats and vulnerabilities is now of the utmost importance.
Learn how to define risks, threats, and vulnerabilities, how they differ from one another, and how understanding them can help your InfoSec compliance journey.
What is a risk?
A risk is a threat of exploiting a vulnerability in an organisation's IT systems. It could cause damage to the organisation's reputation, loss of data, or loss of business. These risks can include:
- Intrusion - A person, program, or process enters a system without authorisation and makes changes.
- Accidental loss - An employee unintentionally deletes some or all of their data.
- Malicious intrusion - Someone intentionally enters your system to steal data, destroy files, or carry out other malicious acts.
- Data leakage - Someone leaks information about you to the public through hacking or other means.
What is a threat?
A threat is anything that can harm the privacy of your information. Threats include any circumstance that could lead to loss, destruction, or unauthorised access to data. For example: natural disasters, human error (unintentional mistakes), and malicious attacks.
There are several types of threats, but they all share one common trait: they can compromise the confidentiality, integrity, or availability of your information. There are many ways you can protect your data from threats; here are three:
- Physical security - All measures that control physical access to your computer systems and data. For example, locking doors and windows and using guards to monitor entrances and exits.
- Information security - All measures that protect against unauthorised access to your computer systems, applications, user accounts, data, and information stored on those systems. For example, changing passwords regularly so that would-be attackers can't easily guess them.
- Data privacy - Protecting personal information such as names, addresses and phone numbers from disclosure without consent. This includes keeping it secret from third parties who might use it for marketing purposes.
What is a vulnerability?
In information security, the concept of vulnerability describes the risk of a system or data set being damaged by an external attack. A vulnerability indicates that compromise or damage is possible, but it doesn't necessarily mean that the system or data set has already been compromised.
You can define a vulnerability as the absence of an effective security safeguard, whether for an individual, a group, or an organisation. Here are a few reasons why a system may become vulnerable:
- The system itself may not be secure. If, for example, it does not support biometric authentication, it is vulnerable to attackers who can bypass the authentication process.
- The environment the system operates in may not be secure. An organisation that uses insecure wireless connections to connect to the internet is potentially vulnerable to unauthorised access to its files.
- The data held within a system may be vulnerable. Data that is incorrectly encrypted while being transmitted or stored can create weaknesses in systems and may lead to unauthorised access by third parties.
Vulnerabilities can come in many forms:
- Technical vulnerabilities (such as weak passwords or outdated software)
- Human errors (like not encrypting sensitive files properly)
- Malicious attacks (like hacking into systems)
However, vulnerability is a determining factor only when a given risk turns into a threat. For example, the same risk can become a threat to a more vulnerable system while posing no threat to a less vulnerable one.
Conclusion
Risks, threats, and vulnerabilities are important concepts in information security. Risk is the likelihood of a threat or vulnerability occurring. Threats are the actual occurrences of a risk that could cause harm to a system or its users. Vulnerabilities are flaws in the security of a system that make it more susceptible to attack by an exploit.
If you enjoyed reading this, learn about the importance of cyber security risk assessment and explore our ISO 27001 consultancy services today.
Schedule a free demo with our Infosec experts today to see DataGuard’s Infosec-as-a-Service solution in action.